Wireless and remote access in the infrastructure space

I have been spending some time lately researching the growing trend of using wireless and other remote connectivity services in SCADA networks and other control system applications.

Being an Infosec guy, this is hugely concerning.

Subversion of wireless and other remote technologies is very easy relative to a wired network at a facility.

Simple examples of the types of issues we can expect:

  • Replay attacks
  • DoS attacks
  • Unauthorized disclosure
  • Additional attack vectors

Some control systems (one running a candy-making facility, for example) may not assign very high risk values to these vectors.

But what if you are a water plant, a sewage treatment facility, or an auto manufacturer?

What kind of damage can be done if:

  • An attacker can send arbitrary alarm messages
  • An attacker can send arbitrary alarm reset messages
  • An attacker can flood the wireless device - preventing alarms from sounding

You get the idea.

On PACE, I just read a post: New software for wireless automation control, regarding Conlab’s U.C.ME product:

U.C.ME-OPC interfaces with any SCADA/HMI, OPC or DDE server to provide efficient, rapid and secure two-way communication with SCADA platforms, remote devices and users, via text messaging (SMS) or telephony, says the company.

Now, from what it looks like, the U.C.ME system does not alter settings on any devices - it’s simply a monitoring tool, but what if your command and control decisions are based on the information coming out of U.C.ME?

I have contacted Conlab for more information and will report back.

For now, it’s best to take some precautions:

  1. Know that every message sent by your systems over a wireless network will be read by an adversary.
  2. Assume that all data received from this system, or by this system, may be forged.
  3. Know that not hearing from the system doesn’t mean anything is going wrong, or that hearing from the system means there is a problem.
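One way a receiving system could act on precautions 2 and 3, as an added example that is not part of the original post and not a feature of any product named here: each message carries an HMAC-SHA256 tag and a sequence number, so forged and replayed alarm or reset messages are rejected, and a heartbeat timeout flags a link that has gone quiet. The pre-shared key, the field names (`device`, `seq`, `type`), the device name and the 30-second interval are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: per-device key provisioned out of band
MAX_SILENCE = 30               # assumption: an authentic message is expected every 30 s

def sign(key, msg):
    """Sender side: serialise the message and compute its HMAC-SHA256 tag."""
    body = json.dumps(msg, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

class AlarmReceiver:
    def __init__(self, key, now):
        self.key = key
        self.start = now
        self.last_seq = {}   # device -> highest sequence number accepted
        self.last_seen = {}  # device -> time of last authentic message

    def accept(self, body, tag, now):
        """Return (verdict, message); only an 'ok' message may drive a decision."""
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "forged", None          # sender did not hold the key
        msg = json.loads(body)
        dev, seq = msg["device"], msg["seq"]
        if seq <= self.last_seq.get(dev, -1):
            return "replayed", None        # valid tag, but already seen
        self.last_seq[dev] = seq
        self.last_seen[dev] = now
        return "ok", msg

    def silent(self, dev, now):
        """True when no authentic message has arrived within MAX_SILENCE seconds."""
        return now - self.last_seen.get(dev, self.start) > MAX_SILENCE

def demo():
    """Constructed traffic: one real alarm, its replay, a forged reset, then silence."""
    rx = AlarmReceiver(KEY, now=0)
    alarm = sign(KEY, {"device": "pump-7", "seq": 1, "type": "ALARM"})
    reset = json.dumps({"device": "pump-7", "seq": 2, "type": "RESET"}).encode()
    return [
        rx.accept(*alarm, now=5)[0],               # authentic alarm
        rx.accept(*alarm, now=6)[0],               # same bytes sent a second time
        rx.accept(reset, b"\x00" * 32, now=7)[0],  # reset with no valid tag
        rx.silent("pump-7", now=20),               # heard from recently
        rx.silent("pump-7", now=60),               # link flooded or down
    ]

if __name__ == "__main__":
    print(demo())
```

The tag gives authenticity and replay protection only; the message contents still travel in the clear, so precaution 1 continues to apply.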

Essentially: If you use wireless technologies of any type in the control system space, don’t trust the data at all… Not one bit.

Bill

3 Responses to “Wireless and remote access in the infrastructure space”

  1. Mark Says:

    I find your comments interesting as Water Authorities and Electricity authorities have been using wireless for monitoring and control of remote plants for 20 years plus with no major problems.

  2. Bill Gross Says:

    Mark;

    Thanks for the comment.

    My background is in IT System Security, and I’ve been getting involved in nuclear power operations.

    So, I guess I’m looking at these risks through the lens:
    1) NRC beginning to work with FERC on the applicability of NERC CIPs to continuity of power operations.
    2) Desire of NRC to apply the NIST SP 800 series of documents to power operations in general.
    3) The increasing public visibility into our nation’s critical infrastructure.

    It’s my belief that if the regulatory bodies are considering overhauling the risk space in light of new attack vectors, wireless would definitely be on the block.

    Wireless in-and-of itself is not bad, but as far as ease of attack goes, it’s pretty simple to subvert.

    In systems where the broadcast/receive distances are very short, perhaps wireless is suitable, but I’m seeing/hearing of applications where these devices are meant to transmit/receive over very long distances - increasing the physical attack surface.

    In general - security degrades over time. Because no one was breaking into wireless control systems 10 years ago, doesn’t mean they won’t eventually.

    The tools and resources for performing scathing attacks on wireless networks are now available to the average geek - take karmetasploit for an example.

    Wireless can be fine if the proper processes and procedures are in place to avoid the added risk.

    Bill

  3. Motti Says:

    Dear Bill, I have read your comments regarding U.C.ME. You claim you have contacted us regarding this subject. Could you please advise me when did you contact our office? Best Regards, Motti Gill, Manager.
